On new hardware, the Windows 8 secure boot feature will prevent the booting of …


PC users who run Windows and Linux on the same machine will want to do some research before purchasing a Windows 8 computer. That's because systems with a "Designed for Windows 8" logo must ship with UEFI secure booting enabled—a move that prevents booting operating systems that aren’t signed by a trusted Certificate Authority.

This could pose a problem for Linux users, though in practice most can just change UEFI settings to disable secure boot before installing the open-source OS. But users will have to depend on hardware vendors to make this option possible in the first place.

Disabling secure boot

“Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled,” Red Hat developer Matthew Garrett writes on his blog in reference to a recent presentation by Microsoft program manager Arie van der Hoeven. The Microsoft exec notes that UEFI and secure boot are “required for Windows 8 client” with the result that “all firmware and software in the boot process must be signed by a trusted Certificate Authority.”

Microsoft has a good reason for this. A “growing class of malware targets the boot path [and] often the only fix is to reinstall the operating system,” van der Hoeven said. “UEFI and secure boot harden the boot process [and] reduce the likelihood of bootkits, rootkits and ransomware.”

Importantly, though, Garrett writes that “there’s no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code.”

For many (and hopefully most) Windows 8 machines, this means that users have a good chance of successfully entering the UEFI settings interface to turn off secure boot. But this will depend on the hardware vendor.

“Experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market,” Garrett writes. “It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't. It's probably not worth panicking yet. But it is worth being concerned.”

Technically, vendors can ship Windows 8 PCs without meeting Microsoft's "designed for Windows 8" logo requirements, but major OEMs typically would not do that.

The Windows 8 developer tablet Microsoft handed out at this month’s BUILD conference did include the ability to turn off the secure boot process. This is reminiscent of Google’s Cr-48 Chromebook, which allowed users to turn off the Verified Boot process and install another operating system, though this involved flipping a physical switch instead of changing a software setting.

A signed OS

Besides disabling the Windows 8 secure boot process, another option for Linux lovers is installing a signed version of Linux. But “this poses several problems,” Garrett notes. “Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by every OEM.”

Current machines dual-booting Windows 7 and Linux should be able to upgrade to Windows 8 without wiping out the Linux install. As Microsoft notes in the Building Windows 8 blog, “We will continue to support the legacy BIOS interface.” However, machines using UEFI instead of BIOS “will have significantly richer capabilities” including faster boot times and greater security.

Ultimately, the Windows 8 changes aren’t likely to wipe out Linux dual-boot scenarios, but they could restrict the types of hardware that will allow them. PC users who would boot two operating systems tend to be highly technical, though, so we expect they’ll find the necessary workarounds.

378 Reader Comments

I don't fully understand how GPL3 prevents releasing a signed bootloader for Linux. Could someone elaborate on that? Also, on a slightly unrelated note, why are people still dual booting? Hardware is so cheap these days, and very good VMs are available for either booting Linux under Windows or vice versa.

Again how? The article already states that Windows 8 PCs can be shipped on computers that don't meet the "Designed for Windows 8" requirements. UEFI is not a required layer for all Windows 8 PCs. And today, Windows 8 is already able to be installed via Boot Camp.

You can ship a PC without the "Designed for Windows 8" sticker, but no major OEM would dare do that.

Existing leaked builds of Windows 8 can be installed via Boot Camp, but they likely don't have this feature turned on yet. If they did, most people wouldn't be able to test it because they don't have the hardware for it yet. The question is whether or not retail builds of Windows 8 will work in Boot Camp. I'm assuming no.

Do you really want to run an operating system whose vendor has confessed that they cannot prevent user space from taking over your boot loader?

You are assuming that there can be absolute certainty of security, an impossibility. No OS can provide 100% certainty of security.

You are saying "I want to run an operating system whose vendor can prevent user space from taking over the boot loader." Name one OS that can assure that with 100% certainty.

What Microsoft is doing makes complete sense... for the 99.9% of users that will run in single boot and couldn't care less about Linux it is offering significant boot path security. The 1/10th of 1 percent that need dual boot will just have to find a way to do so, and allow Microsoft to add the necessary boot loader security as part of the OS.

Is it just me or does it seem like GPLv3 screwed some users out of security?

Just you. There is no reason why hardware vendors can't provide self-signing keys to users to allow them to sign their own software. This complies with the GPLv3 and provides the additional boot-sector malware protection that they are aiming for. There is also no reason why they couldn't trust code signed by major Linux distributors, to make things more convenient if you aren't compiling your own kernel/bootloader.

Entegy wrote:

Nomeya wrote:

Incoming EU court ruling in 3... 2... 1...

How? If the GPLv3 is stopping Linux distros from taking advantage of hardware security, why is that Microsoft's fault?

It's neither Microsoft's fault nor GPLv3's fault. It is the hardware manufacturer's fault for making themselves the sole arbitrators of who is and isn't trusted to install software on the hardware I bought from them. If some of them choose to only allow software signed by Microsoft, then they could certainly find themselves in the sights of antitrust regulators.

Why exactly does Windows 8 need this signed-boot option to provide security when Linux, BSD, Mac and every other OS has provided better security without it?

Those OS's got around the problem by avoiding the dreaded "popularity" and "ubiquity" of Windows, so it is not pursued nearly as hard as an attack vector.

Any OS that uses a real-mode bootstrap process is vulnerable to unapproved code being injected and taking over, regardless of your religious concern about its inherent superiority.

It's not 1985 anymore. Most people don't boot off of random removable media any more. If your OS is rooted, then it got rooted through an entirely different attack vector. Trying to lock the barn door after the barn has burned down won't help a d*mn thing.

The only thing this does is makes it harder for alternate OS users.

It doesn't add a thing to "security".

This.

Is there actually any evidence that boot viruses have become that much more numerous lately?

I have tested this OS for 1 hour and I have got to say it is the worst. Apparently Microshaft doesn't agree with the file systems that Linux supports. I was dual booting Ubuntu with XP. Ubuntu was running great and so was XP, but the moment Windows developer preview came in, it completely thrashed my SATA drive. Boy was I in great disappointment. Although it is an OS made to be installed on tablet PC's I will never let this crapware enter my house again. Windows 7 is enough for me and will stay that way. /failclap to Microshaft.

What part of preview don't you get? This software is somewhere between an alpha and a beta version and is probably a year from being released. The term staggeringly stupid seems to come to mind when it comes to people like you. I've been seeing this WAY too often since the preview was released. People screeching like baboons that OMG this sucks and that UI is going to destroy Microsoft. (Never mind you can turn it off, but why let a little fact like that disrupt your FUD.) What do you think OS X is like a year out from being released? Oh that's right, Apple doesn't let anyone see how ugly it can get until the OS is ready.

MS is allowing developers to play with the OS to prep their wares, not to appease people like you who think the OS should be flawless now....NOW NOW NOW....stop throwing a temper tantrum and give it 8 months and THEN let's see where Windows 8 is when it comes to your complaints. See the thing is it's the Evangelists who are the ones up in arms. It's the Linux and Apple fanbois who are on high alert to spread as much FUD as possible, and I don't get why. If Windows sucks that much you shouldn't have to do anything other than sit back and let it implode on itself. But of course it isn't. So you have to be proactive about kicking Windows.

Moderation: Make your point without insulting people

The term staggeringly stupid seems to come to mind when it comes to people like you.

If you are going to run a DIY OS you should build a DIY computer. I mean... you aren't going to get a $BrandName$ with Win 8 OEM preloaded just to wipe it and install Linux, will you? No. Get a gaming motherboard with no secure anything and run Linux.

And for people who would like a laptop?

AVADirect, iBuyPower, Sager

It's unlikely any of these companies would limit the OS of their systems- since they're the DIYer's laptop shops, and they know it.

Why exactly does Windows 8 need this signed-boot option to provide security when Linux, BSD, Mac and every other OS has provided better security without it?

Those OS's got around the problem by avoiding the dreaded "popularity" and "ubiquity" of Windows, so it is not pursued nearly as hard as an attack vector.

Any OS that uses a real-mode bootstrap process is vulnerable to unapproved code being injected and taking over, regardless of your religious concern about its inherent superiority.

It's not 1985 anymore. Most people don't boot off of random removable media any more. If your OS is rooted, then it got rooted through an entirely different attack vector. Trying to lock the barn door after the barn has burned down won't help a d*mn thing.

The only thing this does is makes it harder for alternate OS users.

It doesn't add a thing to "security".

Uhhh. What?

If a rootkit compromises the boot path--and there are rootkits that do so--then secure boot will detect that rootkit and prevent the system from running. This alerts the user to the problem and enables a solution to be sought.

If a substantial number of systems include this kind of protection, it will mean that attacking the boot path is no longer tenable for rootkits. A rootkit that renders every machine it's installed onto unbootable will not be very successful.

You can complain that it's "too late" all you like: every general-purpose operating system that's even remotely viable on the desktop (Windows, Linux, Mac OS X) suffers from privilege escalation flaws, and--at present--every privilege escalation flaw can be used to attack the boot path. Making such attacks (a) easy to detect (b) useless as a means of compromising the machine is entirely desirable.

Gotta wonder why *anyone* actually believes that manufacturers will, if they go Microsoft's route, allow a bypass for the UEFI? Common sense says that the ONLY way such a system can work is if there is no way to turn it off or otherwise bypass it.

If *I* buy a computer requiring a signed bootloader and install an OS with a compatible, signed, GPLv3 bootloader on it, I'm not redistributing the code.

Correct, however the vendor that you got the GPLv3 bootloader would need to give you the key used to sign the bootloader. They may not have implemented the system, but they are certainly complicit if their key is present on the device.

No. Red Hat and Canonical distribute RPMs/Debs of Grub2 signed with their keys right now. They most definitely don't give me access to those keys. No one has suggested this is a violation of the GPLv3.

Three points on the issue of the trust chain:

* The public keys for trusting their signatures are downloadable by anyone. If a computer vendor decided to trust Red Hat's signatures by installing their public keys, it wouldn't require any involvement by Red Hat itself. It's not clear how the GPLv3 could affect this arrangement.
* The firmware may not trust individual keys; it may trust root certificates. If Red Hat signs its code with a certificate trusted by a root that happens to be trusted by, say, Dell's firmware, it seems like an awfully big leap to say the GPLv3 could stop this, whether Red Hat is complicit or not.
* Even if Red Hat worked directly with Dell to have their keys (not just some root authority they happened to use) trusted for boot on Dell's machines, it's not clear how the GPLv3 would stop them. It's still not Red Hat that's requiring any key to install or use the software; their stuff runs fine on machines with non-signature-aware bootloaders.
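The trust chain the comment above describes (an OEM installs a vendor's public root, so anything that chains to it boots, while a key the OEM never installed does not) and the article's own description of secure boot refusing unsigned boot-path code, as an added Go model that is not code from the page, Microsoft or any firmware vendor: X.509 roots stand in for the UEFI trust store, Ed25519 for whatever signature scheme real firmware uses, and the `Firmware`, `Sign`, `Boot` and `RunScenario` names are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Firmware models the platform trust store: the roots the OEM installed plus the secure-boot switch.
type Firmware struct {
	Roots      *x509.CertPool
	SecureBoot bool
}

func check(err error) { // constructed demo: any setup failure is fatal
	if err != nil {
		panic(err)
	}
}

// newCert issues a code-signing cert: self-signed (a root) when parent is nil, else signed by parent's key.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	signer, signerKey := tmpl, priv // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, priv
}

// Sign is the build-time step a distribution performs with its private key: a signature over the image digest.
func Sign(image []byte, key ed25519.PrivateKey) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(key, digest[:])
}

// Boot is the firmware-side check: chain the signer to an installed root, then verify the signature over the bytes to run.
func (fw Firmware) Boot(image []byte, signer *x509.Certificate, sig []byte) error {
	if !fw.SecureBoot {
		return nil // switch off: legacy behaviour, any image loads unchecked
	}
	opts := x509.VerifyOptions{Roots: fw.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer not chained to an installed root: %w", err)
	}
	digest := sha256.Sum256(image)
	if pub, ok := signer.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, digest[:], sig) {
		return fmt.Errorf("signature does not cover this image")
	}
	return nil
}

// RunScenario: a constructed distro root and signing cert, tried on firmware that did and did not install the root.
func RunScenario() map[string]error {
	root, rootKey := newCert("distro root (constructed)", true, nil, nil)
	distro, distroKey := newCert("distro signing cert (constructed)", false, root, rootKey)
	installed := x509.NewCertPool()
	installed.AddCert(root) // the OEM chose to trust this vendor's root
	image := []byte("constructed boot-loader image")
	sig := Sign(image, distroKey)
	tampered := append([]byte{}, image...) // a bootkit patching one byte after signing
	tampered[0] ^= 0x01
	trusting, untrusting := Firmware{Roots: installed, SecureBoot: true}, Firmware{Roots: x509.NewCertPool(), SecureBoot: true}
	return map[string]error{
		"signed image, root installed":     trusting.Boot(image, distro, sig),
		"tampered image, root installed":   trusting.Boot(tampered, distro, sig),
		"signed image, root not installed": untrusting.Boot(image, distro, sig),
		"tampered image, secure boot off":  Firmware{Roots: installed, SecureBoot: false}.Boot(tampered, distro, sig),
	}
}
```

Only the first case boots on a locked-down machine; the last case shows what the "disable secure boot" option in the firmware menu actually gives up.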

Is there actually any evidence that boot viruses have become that much more numerous lately?

Yes, actually. There are now rootkits in the wild that attack the boot path. They do this typically to circumvent the driver signing requirement found in 64-bit Windows; by modifying the boot loader they can force Windows into its "don't force driver signing" mode, allowing them to much more easily load malicious kernel-mode code.

Oh I'm sorry, Win 8 takes advantage of new features of UEFI; but the linux community at large is stuck in 1989, and does not support UEFI yet. Therefore Microsoft is evil. Did I do it right?

And as far as netbooks, tablets, and smartphones; the implication that you MUST be allowed to install Linux on something, is about as retarded as me saying I MUST be allowed to install Windows on an iPad 2.

So can they just get their way around this by making Windows 8 Ultimate also a hypervisor so you can choose to "reboot into [FooOS]" where windows starts up and then just boots the other OS as a guest?

For once this is not Microsoft working hard to kill another OS. Microsoft is actively trying to secure Windows at all levels, and a good way to fight boot sector malware is to require that UEFI be secured. The OSS people wrote the GPLv3 to strike back at Novell for seeking to work with Microsoft and actually respect software patents, only to have the same rules bite them in the arse by preventing them from using secure booting on modern hardware and having to publish the keys on the open web, diminishing the point of the key. Oddly enough, secure boot is what Apple uses to prevent OS X from booting on non-Apple systems. This may also get used to secure branded OEM media from being sold, not that it will last long.

No. Red Hat and Canonical distribute RPMs/Debs of Grub2 signed with their keys right now. They most definitely don't give me access to those keys. No one has suggested this is a violation of the GPLv3.

Because they are not used to enforce exclusive operation on a system. Currently, it isn't an issue because no systems released with Redhat/Ubuntu loaded on them bar the user from altering the system.

I expect that Microsoft is banking on a number of things:

* Vendors will do the bare minimum to ensure the secure path, and not bother to give an out.
* If they do, it will be on significantly more expensive units so as to discourage use of non-Microsoft software.
* Their hold on the market to "encourage" such actions.

jeffpiatt wrote:

For once this is not Microsoft working hard to kill another OS.

You sure? Claims of security can be a guise for many things.

Quote:

The OSS people wrote the GPLv3 to strike back at Novell for seeking to work with Microsoft and actually respect software patents, only to have the same rules bite them in the arse by preventing them from using secure booting on modern hardware and having to publish the keys on the open web, diminishing the point of the key.

The FSF wrote the GPLv3 to eliminate this nonsense of dodging the GPL via TiVOization, and to minimize the risk of patent suits, not to spite Novell.

This isn't an anti-competitive move, no matter how much you might argue otherwise. As I mentioned before, there will be plenty of hardware Linux will be able to use, and non-OEMs are pretty much guaranteed to give that user an option.

Maybe. We don't know yet. But as hard as you fight to defend them, Microsoft has a known history. Consider that in your arguments.

Quote:

MS doesn't care about Linux on the desktop enough to worry about boot options like this. It is exactly what it says. Securing the boot path. I've had to clean enough nasty stuff off of other people's computers to appreciate that.

MS definitely cares. They hate Linux. They'd love to see it, the GPL, and everything it covers burned and buried. And I have seen nothing in the last 10 years that indicates their position has changed.

So can they just get their way around this by making Windows 8 Ultimate also a hypervisor so you can choose to "reboot into [FooOS]" where windows starts up and then just boots the other OS as a guest?

Oddly, Microsoft seems to be planning to have Windows Virtual PC evolve closer to Hyper-V and, in Pro versions of the OS, let you install Linux on a bootable VHD and select it from the new boot manager. Microsoft does not care if you run Linux as long as it's in a VHD on a Windows Server box.

It's becoming an issue how much of a non-issue this is. Anyone who thinks that there will be no hardware options for people who want to dual-boot OSes is naive at best. If there is a market, the market will be served. Especially, if all that is required to serve the market is enabling an option in the UEFI.

You guys are out of your gourds. Plenty of people run Linux on commodity hardware, because commodity hardware is cheap.

I'm sure there's some overlap between the system-builder and Linux demographics, but it isn't as extensive as y'all seem to assume. System builders, to my knowledge, are 90% gamers. Guess what OS they're running?

The Red Hat guy is right to be concerned. Locked-down OEM hardware will definitely negatively affect Linux's ease of availability, keeping the "desktop Linux" we all keep waiting for even further from reality

They respect their customers enough to give them solutions they require. But yes as a corporation they hate it, and I'm sure doing the work to add that support did not please the higher ups in the business.

I guess this may become an issue for me in 20 years when I find someone tossed an old comp on the curb for the trash man, I decide to scrounge it, take it back home, try to load Linux on it since I don't have a Windows CD, then find out it's an OEM with UEFI locked down in the BIOS.

Microsoft could have approached this problem by sandboxing the boot loader and forbidding anything from writing to it while Windows is running. They opted for another solution that restricts you from running other operating systems.

I think Windows 7 already does that, but once malware escalates into the kernel it can turn off any boot loader write protection and then install a bootkit.

Again how? The article already states that Windows 8 PCs can be shipped on computers that don't meet the "Designed for Windows 8" requirements. UEFI is not a required layer for all Windows 8 PCs. And today, Windows 8 is already able to be installed via Boot Camp.

You can ship a PC without the "Designed for Windows 8" sticker, but no major OEM would dare do that.

Existing leaked builds of Windows 8 can be installed via Boot Camp, but they likely don't have this feature turned on yet. If they did, most people wouldn't be able to test it because they don't have the hardware for it yet. The question is whether or not retail builds of Windows 8 will work in Boot Camp. I'm assuming no.

Read the article. Windows 8 will support legacy BIOS and non-Secure Boot UEFI configurations. Secure boot is a requirement only to receive the "Designed for Windows 8" sticker.

How? If the GPLv3 is stopping Linux distros from taking advantage of hardware security, why is that Microsoft's fault?

The EU demanded that Microsoft support interoperability with other products. Requiring hardware manufacturers to support a feature that all but blocks other OSes could be seen as illegal anti-competitive behavior. The EU has already fined Microsoft twice for lesser behavior.

I know Macs use EFI, but do they use UEFI? Will this block Windows installs via Bootcamp on Apple hardware?

No, it just means macs wont be able to include the "Designed for Windows 8" mark - not that they include windows marks as it is.

They respect their customers enough to give them solutions they require. But yes as a corporation they hate it, and I'm sure doing the work to add that support did not please the higher ups in the business.

This isn't an anti-competitive move, no matter how much you might argue otherwise. As I mentioned before, there will be plenty of hardware Linux will be able to use, and non-OEMs are pretty much guaranteed to give that user an option.

Maybe. We don't know yet. But as hard as you fight to defend them, Microsoft has a known history. Consider that in your arguments.

Quote:

MS doesn't care about Linux on the desktop enough to worry about boot options like this. It is exactly what it says. Securing the boot path. I've had to clean enough nasty stuff off of other people's computers to appreciate that.

MS definitely cares. They hate Linux. They'd love to see it, the GPL, and everything it covers burned and buried. And I have seen nothing in the last 10 years that indicates their position has changed.

I have considered that in my arguments. Simply put, MS has been smacked down for anti-competitive practice over a decade ago, and has since learned to be very careful about not overstepping. If there is any EU ruling on this at all, it's very likely going to mandate that all UEFI motherboards must be able to switch to non-secure.

And if you've seen nothing in the last ten years that their position has changed, look at their massive change about acceptance of open source. Hell, they host some pretty major repositories now. Hell, MS has contributed to the Linux kernel and other Linux-oriented code.

Oh I'm sorry, Win 8 takes advantage of new features of UEFI; but the linux community at large is stuck in 1989, and does not support UEFI yet. Therefore Microsoft is evil. Did I do it right?

Linux has been able to use EFI at boot time since early 2000, using the elilo EFI boot loader or, more recently, EFI versions of GRUB.

Well good then. What's the problem again?

Quote:

Quote:

Get over yourselves.

Go away troll.

Yeah. I signed up in 1999 to troll this article.

Quote:

PS: you can't "turn off" UEFI any more than you can "turn off" BIOS.

PS I know precisely what UEFI is. If the hardware manufacturer does not include BIOS, that has nothing to do with Microsoft. Go ahead and refute that. There will be plenty of options for hardware with both, or with just BIOS. Furthermore, if someone loves Linux and hates Windows so much, why are they buying a PC designed for Windows (UEFI only perhaps, among other things)?

It's becoming an issue how much of a non-issue this is. Anyone who thinks that there will be no hardware options for people who want to dual-boot OSes is naive at best. If there is a market, the market will be served. Especially, if all that is required to serve the market is enabling an option in the UEFI.

Stop saying "dual-boot" - you're the one who sounds naive. UEFI is built into the motherboard just like BIOS - this is just as much a problem for exclusive Linux users as it is for dual booters.

No. Red Hat and Canonical distribute RPMs/Debs of Grub2 signed with their keys right now. They most definitely don't give me access to those keys. No one has suggested this is a violation of the GPLv3.

Because they are not used to enforce exclusive operation on a system. Currently, it isn't an issue because no systems released with Redhat/Ubuntu loaded on them bar the user from altering the system.

Are you suggesting that if Dell built a computer that could only install Windows 8 and RHEL 6 based on the published keys used to sign the bootloaders, Red Hat would have to stop signing Grub2?

I am in agreement that if Dell ships a system running Ubuntu, they wouldn't be able to employ an exclusive, restrictive bootloader scheme. But, the issue here isn't really on systems that ship with Grub2 bootloaders; it's about whether there's a path to a user installing Linux to a machine with a signed boot path and whether major distros would be able to ship software that could work with such boot paths (without sharing the private keys).

It's becoming an issue how much of a non-issue this is. Anyone who thinks that there will be no hardware options for people who want to dual-boot OSes is naive at best. If there is a market, the market will be served. Especially, if all that is required to serve the market is enabling an option in the UEFI.

Stop saying "dual-boot" - you're the one who sounds naive. UEFI is built into the motherboard just like BIOS - this is just as much a problem for exclusive Linux users as it is for dual booters.

Then if you have an "Other OS" requirement, don't buy a UEFI system unless your magical OS supports it.

The teaser for the Build event was the concept that the Windows 8 shell and user experience were going to be written in Javascript and HTML. In the real event, I can't find any discussion of the shell or user experience for the desktop applications. Even for the Metro apps, there are three UI technology choices: XAML and native code, XAML and managed code, or HTML and Javascript. Clearly much of the Windows organization only understands native code and the Win32 API. Microsoft was also able to show some results of people actually getting going with HTML and Javascript. But the reality is that XAML is much farther along the path of being usable for substantial applications, and the only success Microsoft has had with XAML has been based on managed code. The take away is that it is far from clear what will actually emerge from this effort.

Microsoft is under intense pressure to have a competitive offering in the tablet and phone spaces. It is possible to see WinRT getting there in some reasonable resemblance to the image projected at the Build event. It is much harder to see Microsoft releasing this product into the desktop environment. Even in the phone environment, this product looks like a problem. How are they going to wage an uphill marketing battle for Silverlight-based Windows Phone 7 at the same time that they are shouting as loud as they can that everything other than WinRT is yesterday's technology?

I have considered that in my arguments. Simply put, MS has been smacked down for anti-competitive practice over a decade ago, and has since learned to be very careful about not overstepping. If there is any EU ruling on this at all, it's very likely going to mandate that all UEFI motherboards must be able to switch to non-secure.

Rather, they've been careful to be much more underhanded and subtle. They were pretty blunt before, now they're far more careful.

Quote:

And if you've seen nothing in the last ten years that their position has changed, look at their massive change about acceptance of open source. Hell, they host some pretty major repositories now. Hell, MS has contributed to the Linux kernel and other Linux-oriented code.

Either out of necessity or pushing things like "Shared Source." They have desperately tried to co-opt the whole thing and still FUD heavily against Linux and GPL software.

Cabal wrote:

If you can disable required code-signing, it won't be a problem.

IF.

Quote:

PS I know precisely what UEFI is. If the hardware manufacturer does not include BIOS, that has nothing to do with Microsoft. Go ahead and refute that. There will be plenty of options for hardware with both, or with just BIOS.

Considering how much force MS can apply to the consumer market, that may shift rapidly.

Quote:

Furthermore, if someone loves Linux and hates Windows so much, why are they buying a PC designed for Windows (UEFI only perhaps, among other things)?

Because hardware isn't "designed for Windows." They design hardware, and get it certified for Windows. That certification should not preclude other operating systems.

Cabal wrote:

Then if you have an "Other OS" requirement, don't buy a UEFI system unless your magical OS supports it.

Am I missing something here?

Linux supports UEFI. However, the notion of a preboot environment that refuses to load software except from a handful of companies (assuming they even accept anything but Microsoft) is rather troubling, especially if you can't disable or append keys to the system.